scripts: west_commands: update ncs-provision to work with new key format

The .json format used to pass key information to nrfutil device has been
changed, this is an update will make ncs-provision use the new format.

Signed-off-by: Even Falch-Larsen <[email protected]>
Signed-off-by: Grzegorz Chwierut <[email protected]>

Author: evenl

scripts/generate_psa_key_attributes.py

@@ -17,6 +17,8 @@
 from pathlib import Path
 from enum import IntEnum
 from cryptography.hazmat.primitives import serialization
+from typing import BinaryIO
+
 
 class PsaKeyType(IntEnum):
     """The type of the key"""
@@ -39,19 +41,33 @@ class PsaUsage(IntEnum):
     VERIFY_MESSAGE_EXPORT = 0x0801
     ENCRYPT_DECRYPT = 0x0300
     USAGE_DERIVE = 0x4000
+    ENCRYPT_DECRYPT_EXPORT_COPY = 0x0303
+    ENCRYPT_DECRYPT_EXPORT = 0x0301
+    SIGN_VERIFY_EXPORT = 0x3C01
+
 
 class PsaCracenUsageSceme(IntEnum):
-    NONE = 0xff
+    NONE = 0xFF
     PROTECTED = 0
     SEED = 1
     ENCRYPTED = 2
     RAW = 3
 
+
 class PsaKeyLifetime(IntEnum):
-    """Lifetime and location for storing key"""
+    """Lifetime for key"""
+
+    PERSISTENCE_VOLATILE = 0x00
+    PERSISTENCE_DEFAULT = 0x01
+    PERSISTENCE_REVOKABLE = 0x02
+    PERSISTENCE_READ_ONLY = 0x03
 
-    PERSISTENT_CRACEN = 0x804E0001
-    PERSISTENT_CRACEN_KMU = 0x804E4B01
+
+class PsaKeyLocation(IntEnum):
+    """Location for storing key"""
+
+    LOCATION_CRACEN = 0x804E0000
+    LOCATION_CRACEN_KMU = 0x804E4B00
 
 
 class PsaAlgorithm(IntEnum):
@@ -63,28 +79,33 @@ class PsaAlgorithm(IntEnum):
 
 
 class PlatformKeyAttributes:
-    def __init__(self,
-                 key_type: PsaKeyType,
-                 identifier: int,
-                 location: PsaKeyLifetime,
-                 usage: PsaUsage,
-                 algorithm: PsaAlgorithm,
-                 size: int,
-                 cracen_usage: PsaCracenUsageSceme = PsaCracenUsageSceme.NONE):
-
+    def __init__(
+        self,
+        key_type: PsaKeyType,
+        identifier: int,
+        location: PsaKeyLocation,
+        lifetime: PsaKeyLifetime,
+        usage: PsaUsage,
+        algorithm: PsaAlgorithm,
+        size: int,
+        cracen_usage: PsaCracenUsageSceme = PsaCracenUsageSceme.NONE,
+    ):
         self.key_type = key_type
-        self.lifetime = location
+        self.location = location
+        self.lifetime = lifetime
         self.usage = usage
         self.alg0 = algorithm
         self.alg1 = PsaAlgorithm.NONE
-        self.bits = size
+        self.size = size
         self.identifier = identifier
 
-        if location == PsaKeyLifetime.PERSISTENT_CRACEN_KMU:
+        if location == PsaKeyLocation.LOCATION_CRACEN_KMU:
             if cracen_usage == PsaCracenUsageSceme.NONE:
-                print("--cracen_usage must be set if location target is PERSISTENT_CRACEN_KMU")
+                print(
+                    "--cracen_usage must be set if location target is PERSISTENT_CRACEN_KMU"
+                )
                 return
-            self.identifier = 0x7fff0000 | (cracen_usage << 12) | (identifier & 0xff)
+            self.identifier = 0x7FFF0000 | (cracen_usage << 12) | (identifier & 0xFF)
 
         if self.key_type == PsaKeyType.AES:
             self.alg1 = PsaAlgorithm.NONE
@@ -97,12 +118,11 @@ def __init__(self,
 
     def pack(self):
         """Builds a binary blob compatible with the psa_key_attributes_s C struct"""
-
         return struct.pack(
             "<hhIIIIII",
             self.key_type,
-            self.bits,
-            self.lifetime,
+            self.size,
+            self.location | (self.lifetime & 0xFF),
             # Policy
             self.usage,
             self.alg0,
@@ -111,22 +131,73 @@ def pack(self):
             0,  # Reserved, only used if key id encodes owner id
         )
 
+
 def is_valid_hexa_code(string):
     try:
         int(string, 16)
         return True
     except ValueError:
         return False
 
-def main() -> None:
+
+def generate_attr_file(
+    attributes: PlatformKeyAttributes,
+    key_value: str | None = None,
+    key_file: str | None = None,
+    trng_key: bool = False,
+    key_from_file: BinaryIO | None = None,
+    bin_out: bool = False,
+) -> None:
+    metadata_str = binascii.hexlify(attributes.pack()).decode("utf-8").upper()
+
+    if key_file and Path(key_file).is_file():
+        with open(key_file, encoding="utf-8") as file:
+            json_data = json.load(file)
+    else:
+        json_data = json.loads('{ "version": 0, "keyslots": [ ]}')
+
+    if trng_key:
+        value = f"TRNG:{int(math.ceil(attributes.size / 8))}"
+    elif key_value:
+        key = key_value.removeprefix("0x")
+        if not is_valid_hexa_code(key):
+            print("Invalid KEY value")
+            return
+        value = f"0x{key}"
+    elif key_from_file:
+        key_data = key_from_file.read()
+        try:
+            public_key = serialization.load_pem_public_key(key_data)
+        except ValueError:
+            # it seems it is not public key, so lets try with private
+            private_key = serialization.load_pem_private_key(key_data, password=None)
+            public_key = private_key.public_key()
+        value = f"0x{public_key.public_bytes_raw().hex()}"
+    else:
+        print("Expecting either --key, --trng-key or --key-from-file")
+        return
+
+    json_data["keyslots"].append({"metadata": f"0x{metadata_str}", "value": f"{value}"})
+    output = json.dumps(json_data, indent=4)
+
+    if key_file is not None:
+        with open(key_file, "w", encoding="utf-8") as file:
+            file.write(output)
+    elif bin_out:
+        sys.stdout.buffer.write(attributes.pack())
+    else:
+        print(output)
+
+
+if __name__ == "__main__":
     parser = argparse.ArgumentParser(
         description="Generate PSA key attributes and write to stdout or"
-                    "create or append the information including the key to a"
-                    "nrfutil compatible json file. Also supports reading key"
-                    "from a PEM file in some cases. Key source can either be"
-                    "a RAW key using the --key argument, a randomly generated"
-                    "key using the --trng-key argument or a public key can be"
-                    "read from a .PEM file. These are mutual exclusive.",
+        "create or append the information including the key to a"
+        "nrfutil compatible json file. Also supports reading key"
+        "from a PEM file in some cases. Key source can either be"
+        "a RAW key using the --key argument, a randomly generated"
+        "key using the --trng-key argument or a public key can be"
+        "read from a .PEM file. These are mutual exclusive.",
         allow_abbrev=False,
     )
 
@@ -174,6 +245,14 @@ def main() -> None:
         help="Storage location",
         type=str,
         required=True,
+        choices=[x.name for x in PsaKeyLocation],
+    )
+
+    parser.add_argument(
+        "--lifetime",
+        help="Persistence level",
+        type=str,
+        required=True,
         choices=[x.name for x in PsaKeyLifetime],
     )
 
@@ -223,55 +302,22 @@ def main() -> None:
 
     args = parser.parse_args()
 
-    metadata = PlatformKeyAttributes(key_type=PsaKeyType[args.type],
-                              identifier=args.id,
-                              location=PsaKeyLifetime[args.location],
-                              usage=PsaUsage[args.usage],
-                              algorithm=PsaAlgorithm[args.algorithm],
-                              size=args.size,
-                              cracen_usage=PsaCracenUsageSceme[args.cracen_usage]).pack()
-
-    metadata_str = binascii.hexlify(metadata).decode('utf-8').upper()
-
-    if args.file and Path(args.file).is_file():
-        with open(args.file, encoding="utf-8") as file:
-            json_data= json.load(file)
-    else:
-        json_data= json.loads('{ "version": 0, "keyslots": [ ]}')
-
-    if args.trng_key:
-        value  = f'TRNG:{int(math.ceil(args.size / 8))}'
-    elif args.key:
-        key = args.key
-        while key.startswith("0x"):
-            key = key.removeprefix("0x")
-        if not is_valid_hexa_code(key):
-            print("Invalid KEY value")
-            return
-        value = f'0x{key}'
-    elif args.key_from_file:
-        key_data = args.key_from_file.read()
-        key = serialization.load_pem_public_key(key_data)
-        key = key.public_bytes(
-            encoding=serialization.Encoding.Raw,
-            format=serialization.PublicFormat.Raw
-        )
-        value = f'0x{key.hex()}'
-    else:
-        print("Expecting either --key, --trng-key or --key-from-file")
-        return
-
-    json_data["keyslots"].append({"metadata": f'0x{metadata_str}', "value": f'{value}'})
-    output = json.dumps(json_data, indent=4)
-
-    if args.file:
-        with open(args.file, "w", encoding="utf-8") as file:
-            file.write(output)
-    elif args.bin_output:
-        sys.stdout.buffer.write(metadata)
-    else:
-        print(output)
-
+    attr = PlatformKeyAttributes(
+        key_type=PsaKeyType[args.type],
+        identifier=args.id,
+        location=PsaKeyLocation[args.location],
+        lifetime=PsaKeyLifetime[args.lifetime],
+        usage=PsaUsage[args.usage],
+        algorithm=PsaAlgorithm[args.algorithm],
+        size=args.size,
+        cracen_usage=PsaCracenUsageSceme[args.cracen_usage],
+    )
 
-if __name__ == "__main__":
-    main()
+    generate_attr_file(
+        attributes=attr,
+        key_value=args.key,
+        bin_out=args.bin_output,
+        trng_key=args.trng_key,
+        key_from_file=args.key_from_file,
+        key_file=args.file,
+    )

scripts/tests/conftest.py

@@ -8,4 +8,3 @@
 
 # make all scripts importable in tests
 sys.path.insert(0, str(Path(__file__).parents[1]))
-sys.path.insert(0, str(Path(__file__).parents[1].joinpath('west_commands')))